xme Absent Member.

Logger: Generate an alert if no event is received from a SmartConnector

Hi *,

I'm looking for a solution to generate an alert if NO event is received from a SmartConnector after a defined period of time.

When you define alerts on the Logger, you can specify a "Match Count" and a "Threshold" to match if an Event occurs.

In my case, I'd like to alert if an Event did NOT occur (ex: no event received for 4 hours).

Maybe there are other ways to detect if a SmartConnector does not feed the Logger with events?

Regards,

Xavier

14 Replies
MarkR1 Absent Member.

Re: Logger: Generate an alert if no event is received from a SmartConnector

If your Logger forwards those events to ESM, you could play around with the On Time Window expiration rule action. Last time I tried that, using a one-list approach to ultimately do what you are trying, I discovered a bug with the thing that I don't know has been fixed.

The bigger issue is I don't think there is any sort of correlation ability within Logger itself, although I haven't played around with its alerting functionality.

xme Absent Member.

Re: Logger: Generate an alert if no event is received from a SmartConnector

Hello Mark,

Thanks for the feedback! Unfortunately, the Logger does not forward events to an ESM.

spark8888 Absent Member.

Re: Logger: Generate an alert if no event is received from a SmartConnector

Here is a possible solution for you ...

We have a feature called "device status monitoring" on the connectors. When you set this, you specify a time interval that you want the connectors to report on, say for example every 2 hours (note that the time inserted is in milliseconds). Essentially what you get when you turn this on is an event for each device that the connector receives events from, showing A) the total events since starting (custom number 1) and B) the total events since last check (custom number 2).

The event is found by searching for deviceEventClassId=agent:043

What you then do is create a rule / alert to check for when the "since last check" value (or delta) is zero. This would mean that since it last reported, no events were received.

Cheers

Mark

xme Absent Member.

Re: Logger: Generate an alert if no event is received from a SmartConnector

Hello Mark(2),

In the meantime, I opened a case and got a similar answer! (The engineer answered and referred to KB article #1319.)

I'll now test this in a lab environment.

Regards,

Xavier

spark8888 Absent Member.

Re: Logger: Generate an alert if no event is received from a SmartConnector

Not sure if they mention this in the KB, but there are a couple of things that you want to watch out for:

1) That you specify a time interval that is valid (e.g. if you have a batch file drop every 24 hours, you'll need to set the interval to 25 hours).

2) The connector will generate an event for each sub-parser from the same device as well (e.g. Unix / Unix and Unix / Sendmail will be 2 events from the connector), and if you are not using email all that often it can lead to false positives.

3) You'll also get events for ArcSight, so you'll need to filter those out.

xme Absent Member.

Re: Logger: Generate an alert if no event is received from a SmartConnector

In parallel to my post in Protect724, I opened a case and got a nice solution from the ArcSight support. It has been implemented successfully.

On the Logger itself, you can monitor whether the EPS flow drops to zero using a combination of a filter and an alert.

Instead of detecting a non-incoming events condition at SmartConnector level, I prefer to keep the "intelligence" at the Logger level.

In this case, if the SmartConnector is unavailable, the Logger will still be able to detect the bad situation.

A Logger comes with a set of pre-defined system filters. One of them is called "System Alert - Zero Event Incoming". You will find it via "Configuration -> Settings -> Filters". In the regex, you will see that this filter matches a non-incoming event condition for *ALL* receivers at the same time. The goal is to create a copy of this filter and restrict the search to only one Receiver.

Duplicate the filter and change the regex to:

CEF:0.*cat=/Monitor/Receiver/One/EPS.*cs3=receivername.* cn1=0.*

Replace "receivername" with your Receiver. Warning, this is case sensitive!

Now, create a new alert which will use the brand new filter via the menu "Configuration -> Settings -> Alerts".

The match count and threshold must be carefully tested. Some fine-tuning will be required (depending on how the SmartConnector sends events to the Logger).

The only limitation will be that the monitored Receiver must receive events only from one SmartConnector (1-to-1 relation)! Otherwise, it won't be possible to know which SmartConnector is in trouble.

Regards,

Xavier

vikraoo Absent Member.

Re: Logger: Generate an alert if no event is received from a SmartConnector

Hi Xavier,

You have really posted a wonderful solution, as we suffer this situation in all environments. We tried to implement the above solution in our Logger but we are not getting any alert by mail or elsewhere. Kindly let us know how to configure the alert settings, i.e. match count, threshold etc.

We have some connectors which stop sending logs frequently, but we don't have any mechanism to act on it proactively. Thanks in advance.

Vikram

francois.devare Contributor.

Re: Logger: Generate an alert if no event is received from a SmartConnector

Hi,

Anyone got this working? I've tried everything I know and nothing works. I don't get any alerts, even if I manually stop a Windows Unified Log Agent.

Thanks for your help.

coleste Absent Member.

Re: Logger: Generate an alert if no event is received from a SmartConnector

Would it be possible for you to post the link or content to this article? I realize this is from 2010 when it was still ArcSight. Looks like HP has changed the naming convention.

coleste Absent Member.

Re: Logger: Generate an alert if no event is received from a SmartConnector

I have tried real-time alerts and saved search alerts. I do get email. My problem is limiting the number of emails that I get. I want to receive one email if a receiver has been down for 12 hours. I have been unsuccessful thus far.

coleste Absent Member.

Re: Logger: Generate an alert if no event is received from a SmartConnector

Did you mean cs6 instead of cs3?

neil.desai@hpe Super Contributor.

Re: Logger: Generate an alert if no event is received from a SmartConnector

Coleste,

I think the level of logic that you want to implement requires ESM. Logger is not capable of handling that type of logic. It has a basic alerting mechanism, but nothing compared to ESM.

Neil

marcony1 Respected Contributor.

Re: Re: Logger: Generate an alert if no event is received from a SmartConnector

Hi,

The Logger appliance is able to generate an alert when some receiver is not receiving events for some time. According to the administration guide (v5.5 SP1, possibly previous versions as well), there are some useful system internal events on the Logger appliance:

Group   Device Event Category               Device Event Class Id
EPS     /Monitor/Receiver/EPS/All           eps:100
EPS     /Monitor/Receiver/EPS/Individual    eps:102
EPS     /Monitor/Forwarder/EPS/All          eps:101
EPS     /Monitor/Forwarder/EPS/Individual   eps:103

I tried in my test lab to create an alert for when the syslog SmartConnector is not sending events (i.e., when the Logger is not receiving events on the receiver which is configured within the syslog SmartConnector).

Having only a few devices configured to send syslog events in my lab, I reconfigured all of them not to send events (for some time). Then, I configured the Logger in the following way:


System Admin >> SMTP: configure the correct SMTP server and sending email address.

Configuration >> Alerts:
    Query: CEF:0.*cat=/Monitor/Receiver/EPS/Individual.*cn1=0.*cs6=SyslogRcv.*
    Match count: 2 (for example)
    Threshold: 180 (for example)
    Email address: address of the mail recipient
    Name: whatever you want to be in the subject of the message

When you save the alert, don't forget to enable it!


Note: in my lab, I tested with 2 events received within 3 minutes. In fact, when checking how often the Logger generates these internal events, I found out that it happened each minute. If your environment is generating a very large number of syslog events, and you are using the UDP protocol, then you'll probably want to be informed as soon as there are no syslog events received on the Logger. That might happen due to some network issues, or some issue on the syslog SmartConnector. Therefore, you should use smaller numbers for the match count. Bear in mind that you should fine-tune these parameters, in order not to be overloaded with a huge number of email messages...


All this was tested and confirmed. So, in short, the Logger is capable of generating alerts when no event is received from a SmartConnector.


Marcony


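The Logger-side approach described by Xavier and by marcony1 above (a regex over the Logger's own per-receiver EPS events, fired through a match count and threshold), as an added Python example that is not from this thread or from ArcSight: it replays constructed eps:102 events through marcony1's query and a match-count/threshold window, and stays silent for the rest of one outage so a receiver that is down for hours yields a single notification (the problem coleste raises below). The receiver name SyslogRcv, the event layout and field order, and the timestamps are assumptions.

```python
import re
from collections import deque

# Query from marcony1's post; the receiver name "SyslogRcv" is an assumption.
# It matches the Logger's per-receiver EPS event (eps:102) reporting cn1=0 and
# fixes the field order (cn1 before cs6): adjust it if your events differ.
ZERO_EPS_RE = re.compile(
    r"CEF:0.*cat=/Monitor/Receiver/EPS/Individual.*cn1=0.*cs6=SyslogRcv.*")
# Any per-receiver EPS event for that receiver; used to re-arm after recovery.
RCV_EPS_RE = re.compile(r"cat=/Monitor/Receiver/EPS/Individual.*cs6=SyslogRcv")

class ZeroEpsAlert:
    """Mimics a Logger alert: fire once `match_count` matches fall within
    `threshold` seconds; stay silent until the receiver reports non-zero EPS."""
    def __init__(self, match_count, threshold):
        self.match_count, self.threshold = match_count, threshold
        self.matches, self.fired = deque(), False
    def feed(self, ts, line):
        """Return True if this event (at time ts, in seconds) triggers an alert."""
        if ZERO_EPS_RE.match(line):
            self.matches.append(ts)
            while ts - self.matches[0] > self.threshold:  # drop expired matches
                self.matches.popleft()
            if len(self.matches) >= self.match_count and not self.fired:
                self.fired = True
                return True
        elif RCV_EPS_RE.search(line):  # receiver is flowing again: re-arm
            self.matches.clear()
            self.fired = False
        return False

def eps_event(cat, cn1, cs6, cls="eps:102"):
    # Constructed Logger internal event in the shape the regex expects.
    return f"CEF:0|ArcSight|Logger|5.5|{cls}|Receiver EPS|1|cat={cat} cn1={cn1} cs6={cs6}"

INDIV = "/Monitor/Receiver/EPS/Individual"
SAMPLE_EVENTS = [  # constructed: the Logger emits one such event per minute
    (0, eps_event(INDIV, 12, "SyslogRcv")),
    (60, eps_event(INDIV, 0, "SyslogRcv")),
    (120, eps_event(INDIV, 0, "SyslogRcv")),   # 2nd zero within 180 s: alert
    (120, eps_event(INDIV, 0, "WindowsRcv")),  # another receiver: ignored
    (180, eps_event(INDIV, 0, "SyslogRcv")),   # still down: no repeat alert
    (240, eps_event(INDIV, 7, "SyslogRcv")),   # flowing again: re-arm
    (300, eps_event(INDIV, 0, "SyslogRcv")),
    (600, eps_event(INDIV, 0, "SyslogRcv")),   # 300 s apart: window expired
    (660, eps_event(INDIV, 0, "SyslogRcv")),   # 2 zeros within 180 s: alert
]

def run_sample(match_count=2, threshold=180, events=SAMPLE_EVENTS):
    # Replay the events through the alert; return the timestamps at which it fired.
    alert = ZeroEpsAlert(match_count, threshold)
    return [ts for ts, line in events if alert.feed(ts, line)]
```

With the thread's example values (match count 2, threshold 180) the replay fires at 120 and 660 only; raising the match count or shrinking the threshold shows why the two settings have to be tuned to the one-event-per-minute cadence marcony1 observed.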
oscar Absent Member.

Re: Re: Logger: Generate an alert if no event is received from a SmartConnector

Hi Marcony,

I have done some tests in my lab and I have checked that the parameter deviceCustomNumber1 is not correct for some devices when I search by eps:102 (i.e., deviceEventCategory CONTAINS "/Monitor/Receiver/EPS/Individual").

For example, the parameter deviceCustomNumber1 is always 0 for the following receivers:

- Unix (Syslog type)

- Cisco ACS (Syslog type)

But I can see many logs from these receivers.

I have more Syslog type receivers (Cisco ASA, IronPort,...) and the deviceCustomNumber1 value is correct.

Have you seen this error before?

Thanks,

Oscar.
